We use cookies and other similar technologies (Cookies) to enhance your experience and to provide you with relevant content and ads. By using our website, you are agreeing to the use of Cookies. You can change your settings at any time. Cookie Policy.

Peter Schooff

Pros and Cons of Big Security: Mike Talks to Alan Shimel

In this month's edition of the Mike Rothman Security Report podcast, Mike interviews blogger extraordinaire Alan Shimel of StillSecure, as they talk about the pro's and con's of security vendor consolidation. This is a top of mind issue for application security professionals, since the acquisitions in the space (HP/SPI Dynamics, IBM/Watchfire) have already started.

Alan and Mike debate about whether it's better to buy from a big or small vendor and what to look for when making those choices. Alan is also subjected to the Free Association treatment, where we get to hear Alan's views on the IBM/ISS acquisition and how to deal with the really big security vendors, like Symantec, McAfee and Cisco. The transcript follows:

MR: Welcome back to the Mike Rothman Security Report here on the ebizQ Network. In this month's podcast, we're going to talk a little about vendor dynamics because, obviously, if you've been in the security space, or even in any technology space for a certain amount of time, you know that companies innovate then they kind of get integrated in terms of a consolidation into some of the bigger, whether it's IT applications, or security vendors, and then, obviously, their impact on customers as well as just how they're going to use that product, whether its continued to be invest in, whether its end of life.

So there are a lot of different types of discussions that need to go around this idea of vendor consolidation and you kind of maturation of a lot of the technology markets. And I think application security has already entered that phase so I think it makes sense to talk about it.

And today, I'm very pleased to bring on a very good friend of mine; Alan Shimel from StillSecure who has been in the technology space as well as the security space for many years has been through a number of these different cycles. And I'm certainly going to ask Alan to kind of illuminate a little bit in terms of what the best perspective from a customer viewpoint is in terms of how to deal with these consolidating markets. Alan, how are you buddy; are you there?

AS: Yes. Mike thanks very much for having me, always a pleasure to do anything with my buddy, Mike Rothman.

MR: So first of all, I mean I know a lot of people, especially since ebizQ Network tends to focus a lot on the application side that may not know who the myth, the legend Alan Shimel is so why don't you just give a couple of seconds on who you are and what your company does.

AS: Sure. So Mike, never under estimate the reach Alan Shimel first of all. I'm sure many of your listeners and readers are intimately familiar with me. But in any event, my name is Alan Shimel. I'm one of the co-founders of a company called StillSecure. And StillSecure is a secure infrastructure provider. We've been around about, geez, about seven or eight years now. And we have products in the intrusion detection prevention space, vulnerability management, and we're probably best known for our network access control product or NAC called "Safe Access".

We also have a secured networking platform called "Cobia", C-O-B-I-A, which is a free download. StillSecure is based in Colorado, Mike. Prior to StillSecure as you said, I do have a rather lengthy history in technology, IT, internet, and have as we like to say, it's not my first trip on the tuna boat.

MR: That's exactly right. So great. Lets kind of jump into the topic today, Alan. There are a lot of different deals in the application security space. So last year, HP bought SPI Dyanmics. You also have seen some consolidation in the source code analysis, Watchfire bought by IBM so a lot of the big application development companies and, obviously, big IT shops are starting to inflict their mass on this little world that is application security. And obviously, you've seen this movie before so, what are customers really have to worry about? What are some of the considerations that they should have if their vendor gets acquired?

AS: Sure. So a couple of things Mike. First of all, the three biggest lies in market consolidation, probably the biggest lie is, No, we're not for sale. Any of your vendors who are telling you that they're not for sale, are lying to you because everyone is for sale, Mike, you know that, I that. For the right price, any company be it public or private can be had. And too many times I've seen vendors answer customers by saying, Oh no, we're not for sale.

We're here for the long run. We want to do this. We want to do that. We're going to change the world. All fine and dandy but the fact of the matter is, Mike, company can be bought at any time. And I think the faster you realize that the faster you know. Secondly, I think from an end user dealing with their vendor perspective, Mike, it's very important to look at products that are standards based, right.

Because when you lock yourself into Black Box Technology, you are at the mercy of whoever buys, or whoever the acquiring company is, or even not in an acquisition. The company can close up shop tomorrow and you're left with a great flowerpot for a computer box. So buy stuff that's standards based where there is some sort of transition path. My two biggest pieces of advice.

MR: Yep. That's great. Application security is a little interesting in that there really isn't -- I mean there's obviously a lot of technologies that are standardized, right, the programming language the protocols, how you do things, even some of the attack vectors tend to be fairly standardized but I wouldn't say that there's like something like kind of TNC in the NAC world. So again, does that change your opinion about standards at?

AS: No. So look, whoever said TNC is standard that anyone uses? But that's a podcast for a different day. By standards, I mean what format is your data being kept in, your reporting, your results? Can you take that out? Can you export that data that is being accumulated into another database? Do you have open database schema? Are these reports, are they crystallized or can they be run in Crystal?

How is that data stored? Where is that data stored? Do you have access to that data? If its proprietary type of formatting or what have you, that's what I'm talking about. Yeah, everybody's going to have their own special source about how they examine code or what have you. But at some point, there's an end product they give you, Mike, and that end product needs to be able to be leverageable.

MR: Yep. Now, that's a great point. So if you kind of think about again, from the customer viewpoint, I can sit and talk to the small vendor. I can talk to, obviously, the acquired part of this big vendor. Were there any cases where kind of the warmth or the, hey, nobody ever gets fired for buying from IBM or HP. Is there ever a time when that kind of consideration really overweighs some of the functionality or business requirements why you would be looking at certain product?

AS: Yeah. Well Mike, there is a certain analyst down Atlanta way who has this big is the new small thing that would have us believe that no one ever does get fired for buying IBM, or HP, or Cisco. And maybe you are better off dealing with the big vendor only so you don't have to deal the evitable consolidation and change that seems to be the life of smaller vendors. But that road is fraught with its own dangers as well, right.

There have been many large vendors who would've bought a smaller vendor only to see the founding team of that or a brain drain. And it may wind up taking a very long time for that product to fall apart but it may in fact fall apart. And the big vendor may have to scramble to actually have it keep up with your needs and the reason why you bought the darn thing.

MR: Yep, yep. And the one thing that I would add to that, Alan, is being the originator of this biggest is the new small idea is as a customer, you can't forget about the business requirements ever, right. At the end of the day, we are all kind of working for whoever it is that we're working for but we are tasked with meeting the business requirements of that specific organization.

So once you kind of understand that, if again, one man's opinion is if you can find two companies with equal types of capabilities to meet your requirements in a similar way, I think there's certainly some comfort in buying from the big vendor. But again, not at the point of kind of sacrificing functionality that you absolutely need to meet your business requirements.

AS: Yes sir. And you got to make sure the big vendor's committed to continuing to provide that product. A lot of these guys buy it as a checkbox, right. And if it's a checkbox that you want, that's fine. But if you want more than a checkbox, make sure they're not just checkboxing it.

MR: You bet. You bet. And that's a great place to kind of segue into the next section of the Mike Rothman Security Report, which is, of course, free associations. So Alan, what I'll do now is kind of blurt out one or two, or maybe three, if I'm feeling all funky today, terms. Give me one or two sentences in terms of what you think of these things. So first place to start; let's talk about Internet Security Systems. And obviously, being acquired by IBM last year, what do you think of these guys?

AS: Well, look, ISS -- the ISS/IBM acquire wasn't the ISS of its heyday, but it was still a formable security team. I think, frankly, they're having a tough time finding their way within the monolithic IBM world, and they're becoming less and less relevant in the space if you ask me. I mean I can't tell you. We never run into them. The only thing happening, I mean, that's the danger of big is the new small, right. IBM has the checkbox. They've got to security but is it still relevant to what some of the pure play security guys are doing.

MR: Yep. And while we're on this topic, let's blurt out the next one, which would be big security or Symantec and McAfee. What do you think about big security nowadays?

AS: So you can't do big security without Cisco either. Let's not --

MR: Good point.

AS: For all the talk, they're still making the most money, I think, from security. They have the most security revenue so it's tough to compete. Look, I'm a smaller vendor competing with these guys every day. And you have a Symantec or McAfee that each control, I don't know, what is Mike, 20, 30 million desktops? And they have an entry in every silo of the market. You got to pick your spots on when you can go against them. They have inherent advantages at every step of the way. Thank God, they still don't all execute perfectly and they're enough people out there who are willing to give innovation a try with a smaller company.

MR: You bet. And that's great. I want to thank Alan Shimel, my friend. You can find him -- well, Alan, why don't you tell us where we can find you out on the web.

AS: Okay. On the web, you can find me. I was going say anything. On a Friday night or Saturday but -- on the web you can find me at StillSecureafteralltheseyears.com which is my own personal blog where I blog on security, and life, and technology, and kids, and everything else. And I'm now a member of the Forbes.com community of bloggers for business and finance.

MR: Wow.

AS: So -- yeah, it just it means I get to run some ads Mike. But anyway, yeah, you can hear me on that or look around at some security shows. You'll usually see me hanging out by the bar.

MR: You bet.

AS: The shorter little gray-haired guy next to me.

MR: Yeah. And I don't know who the short guy --

AS: I'm the taller gray-haired guy.

MR: I don't know who you're talking about. Again, thank you Alan for being here. Thank everybody for listening to Mike Rothman Security Report here on ebizQ Network. We'll be back next month with another action packed, quick-paced podcast to talk about some topic that's of import to us application security professionals. That's great. Have a great month.